TSG-10056: DNS data_entry入口函数命中策略,并设置了ratelimit的标志,但是返回值为killother导致未进入all_entry函数入口,故未执行ratelimit的动作
This commit is contained in:
liuxueli
@@ -30,6 +30,7 @@ enum TSG_METHOD_TYPE
|
||||
TSG_METHOD_TYPE_TAMPER,
|
||||
TSG_METHOD_TYPE_DEFAULT,
|
||||
TSG_METHOD_TYPE_APP_DROP,
|
||||
TSG_METHOD_TYPE_ALLOW,
|
||||
TSG_METHOD_TYPE_MAX
|
||||
};
|
||||
|
||||
|
||||
@@ -56,12 +56,12 @@ static int set_drop_stream(const struct streaminfo *a_stream, tsg_protocol_t pro
|
||||
return STATE_DROPME|STATE_DROPPKT;
|
||||
}
|
||||
|
||||
static int set_ratelimit_flag(const struct streaminfo *a_stream)
|
||||
static int set_dropme_flag(const struct streaminfo *a_stream)
|
||||
{
|
||||
struct master_context *_context=(struct master_context *)get_struct_project(a_stream, g_tsg_para.context_project_id);
|
||||
if(_context!=NULL)
|
||||
{
|
||||
_context->is_ratelimit=1;
|
||||
_context->is_dropme=1;
|
||||
}
|
||||
|
||||
return 0;
|
||||
@@ -675,7 +675,7 @@ static unsigned char do_action_ratelimit(const struct streaminfo *a_stream, Maat
|
||||
bucket=NULL;
|
||||
}
|
||||
|
||||
set_ratelimit_flag(a_stream);
|
||||
set_dropme_flag(a_stream);
|
||||
|
||||
context=NULL;
|
||||
|
||||
|
||||
@@ -1593,6 +1593,13 @@ int scan_application_id_and_properties(const struct streaminfo *a_stream, struct
|
||||
context->hited_para.hited_app_id=hited_app_id;
|
||||
context->hited_para.after_n_packets=after_n_packets;
|
||||
}
|
||||
else
|
||||
{
|
||||
if(identify_result->origin==ORIGIN_BASIC_PROTOCOL && after_n_packets>0) //for tsg_protocol_t
|
||||
{
|
||||
context->hited_para.after_n_packets=after_n_packets;
|
||||
}
|
||||
}
|
||||
|
||||
return hit_num;
|
||||
}
|
||||
@@ -1627,7 +1634,8 @@ static unsigned char master_deal_scan_result(const struct streaminfo *a_stream,
|
||||
}
|
||||
|
||||
copy_result_to_project(a_stream, context, p_result, context->domain, context->proto, PULL_FW_RESULT, a_stream->threadnum);
|
||||
state=APP_STATE_KILL_OTHER|APP_STATE_DROPME;
|
||||
context->is_dropme=1; //only tcp
|
||||
state=APP_STATE_KILL_OTHER|APP_STATE_GIVEME;
|
||||
break;
|
||||
}
|
||||
else
|
||||
@@ -1671,7 +1679,7 @@ static unsigned char master_deal_scan_result(const struct streaminfo *a_stream,
|
||||
FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_BYPASS], 0, FS_OP_ADD, 1);
|
||||
state=APP_STATE_GIVEME|APP_STATE_KILL_OTHER;
|
||||
|
||||
tsg_set_method_to_tcpall(a_stream, &tmp_tcpall_context, TSG_METHOD_TYPE_UNKNOWN, a_stream->threadnum);
|
||||
tsg_set_method_to_tcpall(a_stream, &tmp_tcpall_context, TSG_METHOD_TYPE_ALLOW, a_stream->threadnum);
|
||||
break;
|
||||
case TSG_ACTION_INTERCEPT:
|
||||
if(is_intercept_exclusion(a_stream, p_result, context->domain, a_stream->threadnum))
|
||||
@@ -1938,7 +1946,7 @@ static unsigned char tsg_master_data_entry(const struct streaminfo *a_stream, vo
|
||||
break;
|
||||
}
|
||||
|
||||
if(context->is_ratelimit==1 && a_stream->type==STREAM_TYPE_TCP)
|
||||
if(context->is_dropme==1 && a_stream->type==STREAM_TYPE_TCP)
|
||||
{
|
||||
state=APP_STATE_KILL_OTHER|APP_STATE_DROPME;
|
||||
}
|
||||
@@ -1968,10 +1976,13 @@ static unsigned char tsg_master_all_entry(const struct streaminfo *a_stream, uns
|
||||
struct master_context *data_context=NULL;
|
||||
struct tcpall_context *all_context=(struct tcpall_context *)(*pme);
|
||||
|
||||
if(stream_state==OP_STATE_PENDING)
|
||||
if(stream_state==OP_STATE_PENDING && all_context->method_type!=TSG_METHOD_TYPE_ALLOW)
|
||||
{
|
||||
if(all_context->method_type==TSG_METHOD_TYPE_UNKNOWN)
|
||||
{
|
||||
all_context->method_type=TSG_METHOD_TYPE_DEFAULT;
|
||||
all_context->after_n_packets=get_default_para(a_stream, g_tsg_para.default_compile_id);
|
||||
}
|
||||
|
||||
hit_num=tsg_scan_nesting_addr(g_tsg_maat_feather, a_stream, PROTO_UNKONWN, &scan_mid, result, MAX_RESULT_NUM);
|
||||
if(hit_num>0)
|
||||
@@ -2085,7 +2096,7 @@ extern "C" unsigned char TSG_MASTER_UDP_ENTRY(const struct streaminfo *a_udp, vo
|
||||
}
|
||||
|
||||
state2=tsg_master_data_entry(a_udp, (void **)&(context->data_entry), thread_seq, a_packet);
|
||||
if(state2==APP_STATE_GIVEME)
|
||||
if(!(state2&APP_STATE_DROPME))
|
||||
{
|
||||
state1=tsg_master_all_entry(a_udp, a_udp->opstate, (void **)&(context->all_entry), thread_seq, a_packet);
|
||||
}
|
||||
|
||||
@@ -228,7 +228,7 @@ struct master_context
|
||||
{
|
||||
unsigned char is_esni;
|
||||
unsigned char is_log;
|
||||
unsigned char is_ratelimit;
|
||||
unsigned char is_dropme;
|
||||
unsigned char deal_pkt_num;
|
||||
unsigned char is_app_link;
|
||||
unsigned char pad;
|
||||
|
||||
@@ -2846,6 +2846,7 @@ int tsg_set_method_to_tcpall(const struct streaminfo *a_stream, struct tcpall_co
|
||||
|
||||
switch(_context->method_type)
|
||||
{
|
||||
case TSG_METHOD_TYPE_UNKNOWN:
|
||||
case TSG_METHOD_TYPE_DEFAULT:
|
||||
case TSG_METHOD_TYPE_MIRRORED:
|
||||
_context->method_type=method_type;
|
||||
@@ -2876,6 +2877,7 @@ int tsg_set_bucket_to_tcpall(const struct streaminfo *a_stream, struct tcpall_co
|
||||
return 1;
|
||||
break;
|
||||
case TSG_METHOD_TYPE_DEFAULT:
|
||||
case TSG_METHOD_TYPE_UNKNOWN:
|
||||
break;
|
||||
default:
|
||||
return 0;
|
||||
|
||||
Reference in New Issue
Block a user